This site is using WebAssembly.
Let's download this file:
https://fortune-ca29a1bd80cd.1753ctf.com/fortune_api.wasm
Let's disassemble this:
Then, decompile:
There is a flag verifying endpoint
I want to now debug the WASM code
- Install wasmtime
gdb --args wasmtime run -D debug-info -O opt-level=0 fortune_api.wasm
This does not work, because this WASM file cannot run independently of the JS runtime it was built for.
So, we debug in the browser.
The wasm instance is fittingly called instance
So, if we want to memory dump, we can do:
var mem = new Uint8Array(instance.exports.memory.buffer)
console.log(mem.slice(68640,68650))
Looking at the memory dump of 68640, we get this list:
This just corresponds to this route: Not anything of note
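An added example (not part of the original writeup): rather than slicing ten bytes at one known offset, this helper walks the linear memory and lists printable ASCII runs with their offsets, much like the `strings` tool. `extractStrings` and `buildSampleMemory` are hypothetical names and the sample strings are constructed; in the browser console you would pass `instance.exports.memory` instead.

```javascript
// List printable ASCII runs found in a WebAssembly linear memory.
// memory: a WebAssembly.Memory (e.g. instance.exports.memory in the console)
// minLen: shortest run worth reporting; start/end: byte range to scan
function extractStrings(memory, minLen = 4, start = 0, end = Infinity) {
  // Build the view on every call: the old buffer detaches when memory grows.
  const bytes = new Uint8Array(memory.buffer);
  const stop = Math.min(end, bytes.length);
  const decoder = new TextDecoder("utf-8");
  const found = [];
  let runStart = -1;
  for (let i = start; i <= stop; i++) {
    // i === stop acts as a terminator so a run touching the end is flushed.
    const printable = i < stop && bytes[i] >= 0x20 && bytes[i] <= 0x7e;
    if (printable) {
      if (runStart < 0) runStart = i;
    } else if (runStart >= 0) {
      if (i - runStart >= minLen) {
        found.push({
          offset: runStart,
          text: decoder.decode(bytes.subarray(runStart, i)),
        });
      }
      runStart = -1;
    }
  }
  return found;
}

// Constructed sample memory standing in for the real module's memory.
function buildSampleMemory() {
  const memory = new WebAssembly.Memory({ initial: 2 }); // 2 pages = 131072 bytes
  const bytes = new Uint8Array(memory.buffer);
  const put = (offset, s) => bytes.set(new TextEncoder().encode(s), offset);
  put(68640, "/constructed/route"); // constructed string at the offset used above
  put(70000, "ab");                 // shorter than minLen, so it is skipped
  put(131072 - 9, "tail-text");     // run that ends exactly at the end of memory
  return memory;
}

for (const { offset, text } of extractStrings(buildSampleMemory())) {
  console.log(offset, JSON.stringify(text));
}
```

Passing a `start` and `end` (for example 68640 and 68650) restricts the scan to the same window as the `mem.slice` call above.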
There is a function in the decompilation that is called GetFlag
It appears to be uncalled in the original wasm file:
Ok, makes sense, it simply sends a GET request to the backend for verification. Makes sense, wouldn’t have anything client-side to read the flag then?